Customer selects an item for purchase and prepares to check out.
New authenticated customers are verified by sending a notification to their devices using Amazon Pinpoint.
Authenticated clients make API calls to AWS AppSync using valid JWT tokens generated by Amazon Cognito.
AWS AppSync uses resolvers to make direct calls to different microservices. HTTP resolvers connect to REST endpoints of the user service. An AWS Lambda resolver directs calls to the credit service in a virtual private cloud (VPC).
The communication between the resolvers and the HTTP endpoints are protected with temporary AWS Identity and Access Management (IAM) credentials based on assumed IAM roles. The JSON Web Token (JWT) specific to the authenticated user is also forwarded to each microservice.
A Lambda function is invoked to access the private service hosted in a VPC through AWS PrivateLink. PrivateLink provides private connectivity between the credit service VPC and Lambda on the private AWS network. All services are secured in a way that only the main AWS AppSync API is granted access.
The AWS Well-Architected Framework helps you understand the pros and cons of the decisions you make when building systems in the cloud. The six pillars of the Framework allow you to learn architectural best practices for designing and operating reliable, secure, efficient, cost-effective, and sustainable systems. Using the AWS Well-Architected Tool, available at no charge in the AWS Management Console, you can review your workloads against these best practices by answering a set of questions for each pillar.
The architecture diagram above is an example of a Solution created with Well-Architected best practices in mind. To be fully Well-Architected, you should follow as many Well-Architected best practices as possible.
This Guidance can be scripted using an AWS CloudFormation template. To integrate and deploy changes, use a source control system like AWS CodeCommit to manage code and other artifacts, such as version-controlled AWS CloudFormation templates of your infrastructure. When responding to incidents and events, you can send logs directly from your application to Amazon CloudWatch using the CloudWatch Logs API, or send events using AWS SDK and Amazon EventBridge.
For secure authentication and authorization, AWS Identity and Access Management (IAM) roles are in place for all service interactions in the environments. All data is fully encrypted in transit and in storage. AWS services provide HTTPS endpoints using TLS for communication, thus providing encryption in transit when communicating with the AWS APIs.
To support a highly available network, all components scale automatically; account limits should be clearly defined for the supported product range. To adapt to changes in demand, the solution is modular and can scale with user adoption.
Serverless architectures help to provision the exact resources that the workload needs. Strategies for storage lifecycle management and ensuring auto capacity scaling are used for ingestion and read and write access patterns. To meet the requirements of scaling, traffic and data access patterns, serverless architectures help to provision the exact resources that the workload needs.
This Guidance is designed to be fully optimized for cost, using only resources where necessary and only accessing data using the services appropriate for the business need.
By using managed services and dynamic scaling, you minimize the environmental impact of the backend services. This Guidance uses technologies that support data and access storage patterns that need to be monitored. Doing so ensures that assets, such as data, are stored in the optimum solution based on the read and write access patterns, with close attention to scaling of compute resources closely aligned to the demand.
How AWS is supporting Buy Now Pay Later (BNPL)
The sample code; software libraries; command line tools; proofs of concept; templates; or other related technology (including any of the foregoing that are provided by our personnel) is provided to you as AWS Content under the AWS Customer Agreement, or the relevant written agreement between you and AWS (whichever applies). You should not use this AWS Content in your production accounts, or on production or other critical data. You are responsible for testing, securing, and optimizing the AWS Content, such as sample code, as appropriate for production grade use based on your specific quality control practices and standards. Deploying AWS Content may incur AWS charges for creating or using AWS chargeable resources, such as running Amazon EC2 instances or using Amazon S3 storage.